
Re: curl and form submission



On Wednesday 08 June 2016 01:28 PM, tomas@tuxteam.de wrote:

On Wed, Jun 08, 2016 at 01:02:54PM +0000, Bob wrote:

[...]

Hello Tomas,

Thanks for your explanation. At my end a funny thing happens which
now questions the whole web based authentication of this provider. I
have discovered a simple link (which happens during a quick
redirection after pressing login button)

  http://<link>/login1.html?a=%3F<username>%2B%2F%40&b=%3F<password>%2B%2F%40

I logout to kill my session and then put the same on browser, I
logged in straight  :-)
Again, your browser is pulling your leg. What you are doing with this
command line is equivalent to sending your filled in login form (you
are sending what the browser would do via "URL query parameters").

The next step is the server sending back a fresh session ID in a cookie
(and possibly a redirect to the "real" page). From then on you're in
business.

How can I send that link through command line then ?
Simple: just "curl" it:

    curl 'http://<link>/login1.html?a=%3F<username>%2B%2F%40&b=%3F<password>%2B%2F%40'

but as I said, this'll just give you the first step in a multi-step
process. You'd have possibly to follow (at least) one redirect,
offering the cookie you just harvested. That's where curl's options
-c (set cookie jar) and -L (follow redirect) come in.

Try to find a way to watch what your browser's doing. It's much
more instructive than reading my incomplete guesses :-)


Well Tomas, I'd like to share with you that your guess is again correct.
This link quickly redirects to http://<linkk> (seems the session is checked here) and then to the home page. I'm trying to figure out the cookie part now.
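
The multi-step flow discussed in this thread, as an added example that is not part of the original messages: a local stand-in server plays the portal, and the client replays the login link once without and once with a cookie jar (the role of curl's -c, with redirects followed as with -L). Only login1.html and the a/b parameters come from the thread; the /check and /home paths, the "sid" cookie and the credentials are assumptions.

```python
import http.cookiejar, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the portal: /check, /home, the "sid" cookie and
# these credentials are assumptions; only login1.html and a/b are from the thread.
USER, PASSWORD, SID = "?bob+/@", "?s3cret+/@", "constructed-session-id"
LOGIN_QUERY = urlencode({"a": USER, "b": PASSWORD})  # percent-encodes ? + / @

class Portal(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlsplit(self.path)
        creds_ok = parse_qs(url.query) == {"a": [USER], "b": [PASSWORD]}
        has_sid = f"sid={SID}" in self.headers.get("Cookie", "")
        if url.path == "/login1.html" and creds_ok:
            self._reply(302, [("Location", "/check"), ("Set-Cookie", f"sid={SID}; Path=/")])
        elif url.path == "/check" and has_sid:  # the session is checked here
            self._reply(302, [("Location", "/home")])
        elif url.path == "/home" and has_sid:
            self._reply(200, body=b"home page")
        else:
            self._reply(403, body=b"no session")

    def _reply(self, status, headers=(), body=b""):
        self.send_response(status)
        for name, value in [*headers, ("Content-Length", str(len(body)))]:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

def login(base, keep_cookies):
    """Replay the login link; keep_cookies plays the role of curl's cookie jar."""
    jar = http.cookiejar.CookieJar()
    cookies = [urllib.request.HTTPCookieProcessor(jar)] if keep_cookies else []
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), *cookies)
    try:  # the opener follows 302 redirects on its own, as curl does with -L
        with opener.open(f"{base}/login1.html?{LOGIN_QUERY}", timeout=5) as resp:
            return resp.status, urlsplit(resp.url).path, [c.name for c in jar]
    except urllib.error.HTTPError as err:
        return err.code, urlsplit(err.url).path, [c.name for c in jar]

def run_demo():
    with HTTPServer(("127.0.0.1", 0), Portal) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        results = login(base, False), login(base, True)
        server.shutdown()
    return results

if __name__ == "__main__":
    print(run_demo())
```

Run as a script, the stand-in server's default access log on stderr shows the full login request line, query string included, which is what any server or proxy handling such a link would record.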

